CVE-2018-11087 Bug Report

[VP-66]

Hi Team,

I am doing some research into the CVE-2018-11087 and looking for the bug report that first identified/mentioned this issue. However, after doing a lot of research, I was not able to find this bug report/issue in this repository.

Any guidance/help as to where I could find this information would be highly helpful!

I have found the fixing commit, however, which is: aff4d0a

The jira task mentioned in the commit also does not work (ie, no redirection to relevant issue: https://jira.spring.io/browse/AMQP-830)

Any help would be great,
Thanks!

[artembilan]

It is very old CVE though, therefore indeed something might be lost.
On the other hand it is better to not report bug for security vulnerability into the public. It can definitely cause a demage to those affectected, but without an attack yet. Plus it is very good practice to hide exploit details as much as possible. So, I’m not sure what is your goal, but that commit should be enough for community to know that fix is there.

[VP-66]

Thanks for your reply @artembilan !

I understand the benefits for not reporting the bug to the public as it can easily be exploited then.

The sole purpose of this task is for a university project related to the processing of identifying and reporting CVE in open-source projects. As for this, we are required to find the corresponding bug report for the fixing commit.

Thanks for your help !

[artembilan]

Right, as I said: with time and evolution something might be lost. We have migrated from JIRA while back, but here is related migrated GH issue: #2373.

Also as we agreed , you can see that not too much info in the issue. Just because it is a security vulnerability. I just made a search for that JIRA ticket number. So, in fact it is not lost 😅.

[VP-66]

That is really helpful, @artembilan !

That is the same GH issue I had come across whilst doing my research - just one last thing would be great to confirm is that the JIRA ticket is not visible to the public, correct? If I am incorrect, is there any way I can search up the JIRA ticket number from my end?

Again, thanks a lot for your guidance :)

[artembilan]

The JIRA is not there for the reason you can see when you follow its link. Im not sure why you are eager for that JIRA, but GH issues have same meaning as JIRA. Plus that ticket has had exactly the same content you see in that GH issue.
What is your goal here, please?

[VP-66]

Hi @artembilan , that is all good I just wanted to see if there was any discussion related to how the bug was found/fixed - including any sort of suggestions.

That is all good though, thanks a lot for all your help. Really appreciated :)

[artembilan]

“How the bug was found” is 100% exploit and that is not what I would recommend to share with anyone. “How it was fixed” is also some kind of signal for hackers to crack all those who have not updated yet. So, that is also something we try to keep as obfuscated as possible.
Therefore don’t try to find clues in this project about origins of this or that CVE.

[VP-66]

@artembilan that makes so much sense, thanks a lot!!

[acogoluegnes]

I don't remember the exact origin of the CVE, but here is some extra information:

• the related GH issue for the RabbitMQ AMQP 091 Java client: Make it easier to perform peer verification when TLS is enabled rabbitmq/rabbitmq-java-client#394
• the commit that fixed the issue: rabbitmq/rabbitmq-java-client@fcc3dbb

The idea was to make hostname verification easier to activate.